Configure EclecticIQ Platform Integration
Configure EclecticIQ Platform Integration for IBM Resilient.
After installing the app, you can proceed to set it up.
The app setup consists of the following steps:
Create the configuration file for the app.
Set the passwords for the IBM Resilient and the EclecticIQ Platform users that consume the integration.
Create a message destination to store data and to make it available programmatically to external scripts.
Create the configuration file
The app.config file holds the app configuration parameters that define the integration behavior in IBM Resilient.
To create an app.config configuration file, run the following command:
resilient-circuits config -c
By default, app.config is stored in /home/resadmin/.resilient.
If the file already exists, you are prompted to replace it.
In this case, press N to cancel the operation.
Open app.config in a text editor such as Vim or Nano:
vi /home/resadmin/.resilient/app.config
In the app.config file, edit the [resilient] stanza to set up the integration for the IBM Resilient service, and edit the [eclecticiq] stanza to define the EclecticIQ Platform-specific parameters.
Edit the [resilient] stanza to specify the correct settings for your configuration:
Field
Description
Example
host
Enter the IP address of the host the IBM Resilient instance runs on, and where incidents are processed.
If your IBM Resilient is deployed on a single machine, and if it is not part of a distributed installation, set the host to 127.0.0.1.
127.0.0.1
port
Enter the port number you want to assign to the integration.
The resilient-circuits integration module listens to this port.
The default port is 443.
Data flow uses the TCP transmission protocol.
443
email
Enter the email address associated with the integration user you previously defined in IBM Resilient.
password
Enter the set-password alias corresponding to the password associated with the integration user you previously defined in IBM Resilient.
The configuration file stores content in plain text.
We recommend using IBM Resilient res-keyring to store passwords, and to represent them in plain text with aliases.
res-keyring aliases must begin with a caret (^).
Example: ^my_very_secret_password
^res_password
org
Enter the organization name associated with the integration user you previously defined in IBM Resilient.
Empire
cafile
To use the IBM Resilient server self-signed certificate, see the comment right above this field in the app.config file.
To disable certificate validation, set it to false.
false
Example:
[resilient]
# Basic service connection
host=127.0.0.1
port=443
password=^res_password
org=Empire
...
cafile=false
Edit the [eclecticiq] stanza to specify the correct settings for your configuration:
Field
Description
Example
eclecticiq_url
Enter the URL pointing to the EclecticIQ Platform instance you want to integrate with IBM Resilient.
The platform instance must be able to communicate with the IBM Resilient host through the resilient-circuits integration module.
By default, the communication port is 443.
https://eclecticiq-instance.local.com
eclecticiq_user
Enter a valid user name to sign in to and to access the EclecticIQ Platform instance.
admin
eclecticiq_password
Enter the res-keyring alias corresponding to the password associated with the platform user name.
The configuration file stores content in plain text.
We recommend using IBM Resilient res-keyring to store passwords, and to represent them in plain text with aliases.
res-keyring aliases must begin with a caret (^).
Example: ^my_very_secret_password
EclecticIQ Platform integration for IBM Resilient version 1.1.5 and newer
You can use an EclecticIQ Platform user's API token in the eclecticiq_password field instead of a password.
For more information on creating API tokens, see Create an API token.
^eclecticiq_password
eclecticiq_ssl_check
Enter a True or False Boolean value to enable or disable SSL certificate validation:
To check the EclecticIQ Platform certificate, set it to True.
To allow self-signed platform certificates, set it to False.
False
sightings_auto_creation
Enter a True or False Boolean value to enable or disable automatic sighting creation:
To enable IBM Resilient to automatically create sightings in the platform when it detects hits, set it to True.
To disable this feature, set the field value to False.
True
sightings_group_name
Enter a valid EclecticIQ Platform user group name.
This group corresponds to the data source of the sightings IBM Resilient creates in the platform.
Testing Group
Example:
[eclecticiq]
# API credentials
eclecticiq_url=https://eclecticiq-instance.local.com
eclecticiq_user=admin
eclecticiq_password=^eclecticiq_password
eclecticiq_ssl_check=False
# Sightings parameters
sightings_auto_creation=True
sightings_group_name=Testing Group
Every time you edit app.config and you save your changes, you must:
Reinstall the app.
Stop, and then start the resilient-circuits integration module.
# Go to the '/home/resadmin' directory.
cd /home/resadmin
# Reinstall the app.
# 'x.x.x' is a placeholder representing the app release.
# Example: 1.1.2
sudo pip install -e rc-cts-eclecticiq-x.x.x
# After manually stopping the integration module, start it again.
resilient-circuits run
# Successful response.
resilient-circuits has started successfully and is now running...
Subscribe to message destination 'eclecticiq_sighting'
Subscribe to message destination actions.201.eclecticiq_sighting
Set the passwords
The configuration file stores content in plain text.
We recommend using IBM Resilient res-keyring to store passwords, and to represent them in plain text with aliases.
res-keyring aliases must begin with a caret (^).
Example: ^my_very_secret_password
res-keyring relies on an existing keyring password manager already installed on the system.
res-keyring prompts users to assign a hidden password to a specified alias.
After assigning the alias a password, the latter is stored as a secret.
This is a one-time operation: after setting up the alias/password pairs, you do not need to repeat this task, unless you want to change the password values.
By default:
res-keyring looks for values beginning with a caret (^) in the configuration file /home/resadmin/.resilient/app.config.
Secrets are stored with keyrings.alt.file.
To set password aliases for the IBM Resilient and the EclecticIQ Platform users that consume the integration:
Run the following command to launch res-keyring:
res-keyring
res-keyring searches the app.config file for values beginning with a caret, and then it prompts users to assign each alias a password:
[resilient] password: ^res_password
Enter new value (or <ENTER> to leave unchanged):
[eclecticiq] eclecticiq_password: ^eclecticiq_password
Enter new value (or <ENTER> to leave unchanged):
Done.
Make sure you enter the correct passwords associated with the IBM Resilient and the EclecticIQ Platform users specified in the app.config file in the email and the eclecticiq_user fields, respectively.
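The [resilient] and [eclecticiq] field descriptions and the res-keyring recommendation above translate into checks you can run against app.config before starting the integration module. The following Python script is an added example, not part of the EclecticIQ app or of resilient-circuits; the audit_app_config function name, the sample email address and the plaintext password value are constructed for illustration.

```python
import configparser

# Constructed sample mirroring the stanzas on this page, with one plaintext
# password added so the audit has something to report. Not a real config.
SAMPLE = """\
[resilient]
host=127.0.0.1
port=443
email=integration@example.com
password=^res_password
org=Empire
cafile=false

[eclecticiq]
eclecticiq_url=https://eclecticiq-instance.local.com
eclecticiq_user=admin
eclecticiq_password=constructed-plaintext-value
eclecticiq_ssl_check=False
"""

# (section, key) pairs that hold secrets and should be res-keyring aliases.
SECRET_KEYS = [("resilient", "password"), ("eclecticiq", "eclecticiq_password")]
# (section, key) pairs where a false value turns certificate validation off.
TLS_KEYS = [("resilient", "cafile"), ("eclecticiq", "eclecticiq_ssl_check")]


def audit_app_config(text):
    """Return (section, key, finding) tuples for the body of an app.config."""
    cfg = configparser.ConfigParser(interpolation=None)  # keep '%' literal
    cfg.read_string(text)
    findings = []
    for section, key in SECRET_KEYS:
        value = cfg.get(section, key, fallback="").strip()
        if not value:
            findings.append((section, key, "missing"))
        elif not value.startswith("^"):
            findings.append((section, key, "plaintext secret, not a ^alias"))
    for section, key in TLS_KEYS:
        if cfg.get(section, key, fallback="").strip().lower() == "false":
            findings.append((section, key, "certificate validation disabled"))
    return findings


if __name__ == "__main__":
    for section, key, finding in audit_app_config(SAMPLE):
        print(f"[{section}] {key}: {finding}")
```

To audit a live file, pass the contents of /home/resadmin/.resilient/app.config to audit_app_config; an elision line such as "..." is not valid INI and must not be present in the real file.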
Create a message destination
A message destination stores the data the sighting creation action generates and requires to work correctly, and it makes the data available programmatically to external scripts.
Set up a subscription to the eclecticiq_sighting message destination for the integration to work correctly:
Open a web browser, and log in to IBM Resilient through the GUI.
Click the user menu.
From the drop-down menu select Customization Settings.
Under Customization Settings, click the Message Destinations tab.
In the Message Destinations tab, click the Add Message Destination button.
In the Create Message Destination dialog window, populate the configuration fields:
From the Type drop-down menu, select Queue.
In the Name field, enter a short and descriptive name for the message destination rule you are creating.
Example: Manual EclecticIQ sightings
In the Programmatic Name field, enter eclecticiq_sighting.
The manual sighting creation setup works only if you specify exactly this value.
From the Expect Acknowledgement drop-down menu, select Yes.
In the Users field, start typing one or more IBM Resilient user names that can access and use the manual sighting creation feature.
The field supports autocomplete.
Click Create to add the new message destination, or Cancel to discard your changes.
The new message destination is available as a new entry in the Message Destinations tab.
To edit or to remove a message destination, click the corresponding entry in the Message Destinations tab.
After creating a message destination and after starting the resilient-circuits integration module, IBM Resilient may return Java error messages, and it may fail to work correctly.
If this occurs, restart the IBM Resilient instance to solve the problem.